Re: [XHR2] AnonXMLHttpRequest()

Tyler Close wrote:
> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <> wrote:
>> Another thing that might be worth noting is that if the UA contains a
>> HTTP cache (which most popular UAs do), the UA must never use a cached
>> response that was the result of a request that was made with
>> credentials, when making a request without. The same goes the other
>> way around.
> I gather this is because sites do not reliably use the Vary header?

"When a shared cache (see Section 13.7) receives a request containing an 
Authorization field, it MUST NOT return the corresponding response as a 
reply to any other request, unless one of the following specific 
exceptions holds:..."


> ...

BR, Julian

Received on Wednesday, 3 February 2010 21:34:33 UTC